Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-71-1019675.1
Update Date: 2011-11-02
Keywords:

Solution Type  Technical Instruction Sure

Solution  1019675.1 :   KMS - Tips To Successfully Add A KMA To A Cluster  


Related Items
  • Sun StorageTek Crypto Key Management System
Related Categories
  • PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption
  • .Old GCS Categories>Sun Microsystems>Storage Software>Data Protection Software - Tape

Previously Published As
243526


Applies to:

Sun StorageTek Crypto Key Management System - Version: Not Applicable and later   [Release: N/A and later ]
All Platforms
Checked for relevance on 10-Feb-2011.

Goal

Tips to successfully add a KMA to a Cluster.

Solution


Steps to Follow
When adding a new KMA to an existing KMS Cluster, the new KMA must first be defined in the KMS Cluster using the Create command on the KMA List screen while connected to an existing KMA in the Cluster. This defines the new KMA in the Cluster and allows the actual new KMA to join the Cluster.
Values that need to be entered carefully when Quickstarting the new KMA that is to be added/joined to the existing KMS Cluster:

   Joining KMA's Name - must match value defined in existing KMS Cluster for the new KMA
   IP address or hostname of existing KMA in KMS Cluster (i.e. the "target KMA") - needs to be correct so new KMA can find the existing KMS Cluster
   Joining KMA's passphrase - must match value defined in existing KMS Cluster for the new KMA
   Quorum Credentials - must match Quorum Credentials in existing KMS Cluster

Attributes of the new KMA that may need to be checked in the existing KMS Cluster:
Failed Login Attempts - When a join of the new KMA fails due to an incorrect KMA passphrase, this value is incremented.
If this value is equal to or greater than the "Login Attempt Limit" value in the Security Parameters of the KMS Cluster, then the new KMA is locked out and cannot join the KMS Cluster until the KMA's passphrase is reset in the KMS Cluster.

Potential problems when joining a KMA to an existing Cluster:

1. Incorrect KMA Name for joining KMA entered in Quickstart


On a KMA already in the Cluster, you should see an error audit similar to:
      Operation: Retrieve Root CA Certificate
      Severity: Error
      Condition: Entity is not valid
      Entity ID: Name of joining KMA (as entered in joining KMA's Quickstart, in this case it will be incorrect)
      Message Values:

Check the KMA Name defined in the KMS Cluster and enter it correctly when Quickstarting the new KMA again.


2. Incorrect IP address or hostname for target KMA or incorrect network configuration for joining KMA entered in Quickstart


On a KMA already in the Cluster, there will not be any audits indicating that the joining KMA was able to contact the target KMA.
Look for the following audit after the point in time when the join was performed:
      Operation: Retrieve Root CA Certificate
      Entity ID: Name of joining KMA (as entered in joining KMA's Quickstart)
This is the first audit created in the Cluster when the joining KMA attempts to join the Cluster. If this audit does not exist (whether it is "Success" or "Error"), then the joining KMA was not able to find the Cluster.

Check that the IP address or hostname of the target KMA is correct and enter it correctly when Quickstarting the new KMA again.
Also check that the network configuration of the joining KMA is correct and enter it correctly when Quickstarting the new KMA again.


3. Incorrect passphrase for joining KMA entered in Quickstart

On a KMA already in the Cluster, you should see an error audit similar to:
      Operation: Retrieve Entity Certificate
      Severity: Error
      Condition: Invalid Challenge response
      Entity ID: Name of joining KMA
      Message Values:

Verify that the correct passphrase for the new KMA is being entered (if necessary, reset the passphrase for the new KMA in the Cluster) and enter it correctly when Quickstarting the new KMA again.


4. Joining KMA's passphrase entered incorrectly too many times in Quickstart

On a KMA already in the Cluster, you should see that the new KMA's Failed Login Attempts value is equal to or greater than the Login Attempt Limit in the Cluster's Security Parameters.
On a KMA already in the Cluster, you should also see an error audit similar to:
      Operation: Retrieve Entity Certificate
      Severity: Error
      Condition: Failed login attempts limit exceeded
      Entity ID: Name of joining KMA
      Message Values:

Reset the passphrase for the new KMA in the Cluster and enter the passphrase correctly when Quickstarting the new KMA again.


5. Incorrect Quorum User Name(s) or insufficient Quorum User Name(s) entered in Quickstart

On a KMA already in the Cluster, you should see an error audit similar to:
      Operation: Join Cluster
      Severity: Error
      Condition: Invalid input
      Entity ID: Name of joining KMA
      Message Values: KMA ID = x, KMA Name = Name of joining KMA, Management Network Address = x, Service Network Address = x, KMA Version = x, Rejoin = FALSE, Quorum Key Split User Name = x1, Quorum Key Split User Name = x2, ...

Check the "Quorum Key Split User Name" values to make sure they match what is defined in the Cluster and that a sufficient number of them were provided, and enter them correctly when Quickstarting the new KMA again.


6. Incorrect Quorum User Passphrase(s) entered in Quickstart
 
On a KMA already in the Cluster, you should see an error audit similar to:
      Operation: Join Cluster
      Severity: Error
      Condition: Invalid Quorum passphrase
      Entity ID: Name of joining KMA
      Message Values: KMA ID = x, KMA Name = Name of joining KMA, Management Network Address = x, Service Network Address = x, KMA Version = x, Rejoin = FALSE, Quorum Key Split User Name = x1, Quorum Key Split User Name = x2, ...

Verify that the correct passphrase(s) for the Quorum are being entered and enter them correctly when Quickstarting the new KMA again.
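
The six checks above can be applied mechanically to audit text copied from a KMA already in the Cluster. The following is an added example, not part of the original article or of the KMS product; it assumes the audits are pasted as "Field: value" lines in the layout shown above, oldest first, and limited to audits created after the join attempt. The function names, `SAMPLE` and the KMA name "KMA-2" are made up for illustration.

```python
import re

# (Operation, Condition) of the article's error audits -> problem number.
ERRORS = {("Retrieve Entity Certificate", "Invalid Challenge response"): 3,
          ("Retrieve Entity Certificate", "Failed login attempts limit exceeded"): 4,
          ("Join Cluster", "Invalid input"): 5,
          ("Join Cluster", "Invalid Quorum passphrase"): 6}

# Constructed sample in the article's audit layout; "KMA-2" is a made-up name.
SAMPLE = """\
      Operation: Retrieve Root CA Certificate
      Severity: Success
      Entity ID: KMA-2
      Operation: Retrieve Entity Certificate
      Severity: Error
      Condition: Invalid Challenge response
      Entity ID: KMA-2
"""

def parse_audits(text):
    """Parse 'Field: value' lines; each 'Operation:' line starts a new record."""
    records = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m and m.group(1) == "Operation":
            records.append({})
        if m and records:
            records[-1][m.group(1)] = m.group(2).strip()
    return records

def diagnose(text, kma_name, failed_logins=0, login_limit=None):
    """Return (problem number, detail); 0 means no listed problem was found.
    `text` holds only audits created after the join attempt, oldest first."""
    records = parse_audits(text)
    for r in records:  # Problem 1: audit carries the name as typed, so no name filter
        if (r["Operation"], r.get("Condition")) == (
                "Retrieve Root CA Certificate", "Entity is not valid"):
            return 1, "name entered in Quickstart: " + r.get("Entity ID", "")
    mine = [r for r in records if r.get("Entity ID") == kma_name]
    # Problem 2: the first audit of any join is absent, so the Cluster was never reached.
    if not any(r["Operation"] == "Retrieve Root CA Certificate" for r in mine):
        return 2, "no Retrieve Root CA Certificate audit for " + kma_name
    # Problem 4 can also be read from the KMA's attributes in the Cluster.
    if login_limit is not None and failed_logins >= login_limit:
        return 4, "Failed Login Attempts >= Login Attempt Limit"
    for r in reversed(mine):  # most recent audit first
        key = (r["Operation"], r.get("Condition"))
        if r.get("Severity") == "Error" and key in ERRORS:
            return ERRORS[key], r["Condition"]
    return 0, "no matching error audit"
```

Pass the KMA Name exactly as it is defined in the Cluster; `failed_logins` and `login_limit` are the Failed Login Attempts and Login Attempt Limit values read from the Cluster.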




Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.